[PATCH] virt-aa-helper: Allow swtpm to fsync on dir

Stefan Berger posted 1 patch 2 years, 9 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210713183832.903069-1-stefanb@linux.vnet.ibm.com
src/security/virt-aa-helper.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH] virt-aa-helper: Allow swtpm to fsync on dir
Posted by Stefan Berger 2 years, 9 months ago
Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
its state files into so that "the entry in the directory containing the
file has also reached disk" (fsync(2)).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/security/virt-aa-helper.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 52cfebf6e0..e21557c810 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
                 "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
                 RUNSTATEDIR, shortName);
             /* Paths for swtpm to use: give it access to its state
-             * directory, log, and PID files.
+             * directory (state files and fsync on dir), log, and PID files.
              */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
             virBufferAsprintf(&buf,
                 "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
                 LOCALSTATEDIR, uuidstr, tpmpath);
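Review bot: the rule added by `+                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",` grants read on the directory path itself (the trailing `/` makes it match the directory only), which is the right permission for what the commit message describes: fsync(2) on a directory needs a descriptor from a read-only open() of that directory, and the existing `**` glob on the following lines matches entries below the directory, not the directory path. The comment change on the `+             * directory (state files and fsync on dir), log, and PID files.` line would be clearer if it said that the separate rule exists because `**` does not cover the directory itself; otherwise a reader sees two rules for one path and wonders why. Also, patchew reports "Test syntax-check failed" for this posting; the added lines follow the indentation and style of the surrounding virBufferAsprintf() calls, so it is worth confirming before merge whether that result is related to this hunk.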
-- 
2.31.1
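The sequence the commit message describes, as an added C example that is neither swtpm's code nor part of this patch: durable_write_state() writes a state file and then fsyncs its directory, which needs exactly the read-only open() on the directory path that the new profile rule permits; the function names and the tpm2-00.permall file name are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Persist `len` bytes to `dir/name` so that the data and its new directory
 * entry are both on disk on return (fsync(2)): fsync the file, then open the
 * directory read-only and fsync it too. That open(O_RDONLY) is the access the
 * profile's new "<dir>/ r" rule permits; "<dir>/** rwk" covers only entries inside. */
int durable_write_state(const char *dir, const char *name,
                        const void *data, size_t len)
{
    char path[PATH_MAX];
    int fd, dfd, ret = -1;
    if (snprintf(path, sizeof(path), "%s/%s", dir, name) >= PATH_MAX)
        return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
        return -1;
    if (write(fd, data, len) == (ssize_t)len && fsync(fd) == 0 &&
        (dfd = open(dir, O_RDONLY | O_DIRECTORY)) >= 0) {
        ret = fsync(dfd);           /* directory entry is now durable */
        close(dfd);
    }
    close(fd);
    return ret;
}

/* Self-check: write a constructed blob (made-up file name) into a fresh temp dir, read it back, clean up; 0 on success. */
int demo_roundtrip(void)
{
    char dir[] = "/tmp/swtpm-demo-XXXXXX", path[PATH_MAX], buf[32] = {0};
    const char blob[] = "constructed-tpm-state";
    int fd, ok = -1;
    if (!mkdtemp(dir))
        return -1;
    if (durable_write_state(dir, "tpm2-00.permall", blob, strlen(blob)) == 0 &&
        snprintf(path, sizeof(path), "%s/tpm2-00.permall", dir) < PATH_MAX &&
        (fd = open(path, O_RDONLY)) >= 0) {
        ok = (read(fd, buf, sizeof(buf) - 1) == (ssize_t)strlen(blob) &&
              strcmp(buf, blob) == 0) ? 0 : -1;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}
```

Under the pre-patch profile it is the read-only open() of the directory that AppArmor rejects, so the denial shows up in the audit log against the directory path rather than against fsync().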

Re: [PATCH] virt-aa-helper: Allow swtpm to fsync on dir
Posted by Michal Prívozník 2 years, 9 months ago
On 7/13/21 8:38 PM, Stefan Berger wrote:
> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
> its state files into so that "the entry in the directory containing the
> file has also reached disk" (fsync(2)).
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  src/security/virt-aa-helper.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 52cfebf6e0..e21557c810 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
>                  "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
>                  RUNSTATEDIR, shortName);
>              /* Paths for swtpm to use: give it access to its state
> -             * directory, log, and PID files.
> +             * directory (state files and fsync on dir), log, and PID files.
>               */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
> +                LOCALSTATEDIR, uuidstr, tpmpath);
>              virBufferAsprintf(&buf,
>                  "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
>                  LOCALSTATEDIR, uuidstr, tpmpath);
> 

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Although it took me a bit to realize that 0.7.0 is yet to be released :-)

Michal

Re: [PATCH] virt-aa-helper: Allow swtpm to fsync on dir
Posted by Stefan Berger 2 years, 9 months ago
On 7/14/21 3:13 AM, Michal Prívozník wrote:
> On 7/13/21 8:38 PM, Stefan Berger wrote:
>> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
>> its state files into so that "the entry in the directory containing the
>> file has also reached disk" (fsync(2)).
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   src/security/virt-aa-helper.c | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 52cfebf6e0..e21557c810 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
>>                   "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
>>                   RUNSTATEDIR, shortName);
>>               /* Paths for swtpm to use: give it access to its state
>> -             * directory, log, and PID files.
>> +             * directory (state files and fsync on dir), log, and PID files.
>>                */
>> +            virBufferAsprintf(&buf,
>> +                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
>> +                LOCALSTATEDIR, uuidstr, tpmpath);
>>               virBufferAsprintf(&buf,
>>                   "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
>>                   LOCALSTATEDIR, uuidstr, tpmpath);
>>
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
>
> Although it took me a bit to realize that 0.7.0 is yet to be released :-)

Right. And I am thinking of deactivating the 'offending' fsync in the Ubuntu version for quite a while until this AppArmor fix here has propagated.

Thanks for pushing.

Stefan

>
> Michal
>


Re: [PATCH] virt-aa-helper: Allow swtpm to fsync on dir
Posted by Michal Prívozník 2 years, 9 months ago
On 7/14/21 9:13 AM, Michal Prívozník wrote:
> On 7/13/21 8:38 PM, Stefan Berger wrote:
>> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
>> its state files into so that "the entry in the directory containing the
>> file has also reached disk" (fsync(2)).
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>  src/security/virt-aa-helper.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 52cfebf6e0..e21557c810 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
>>                  "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
>>                  RUNSTATEDIR, shortName);
>>              /* Paths for swtpm to use: give it access to its state
>> -             * directory, log, and PID files.
>> +             * directory (state files and fsync on dir), log, and PID files.
>>               */
>> +            virBufferAsprintf(&buf,
>> +                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
>> +                LOCALSTATEDIR, uuidstr, tpmpath);
>>              virBufferAsprintf(&buf,
>>                  "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
>>                  LOCALSTATEDIR, uuidstr, tpmpath);
>>
> 
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
> 

Just realized that you might not have commit access after we switched to
gitlab. So I went ahead and pushed this for you.

Michal

Re: [PATCH] virt-aa-helper: Allow swtpm to fsync on dir
Posted by Neal Gompa 2 years, 9 months ago
On Tue, Jul 13, 2021 at 2:42 PM Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
>
> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
> its state files into so that "the entry in the directory containing the
> file has also reached disk" (fsync(2)).
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  src/security/virt-aa-helper.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 52cfebf6e0..e21557c810 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
>                  "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
>                  RUNSTATEDIR, shortName);
>              /* Paths for swtpm to use: give it access to its state
> -             * directory, log, and PID files.
> +             * directory (state files and fsync on dir), log, and PID files.
>               */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
> +                LOCALSTATEDIR, uuidstr, tpmpath);
>              virBufferAsprintf(&buf,
>                  "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
>                  LOCALSTATEDIR, uuidstr, tpmpath);
> --
> 2.31.1
>

Patch looks fine to me.

Reviewed-by: Neal Gompa <ngompa13@gmail.com>



--
真実はいつも一つ!/ Always, there's only one truth!